Kernel-Exploit-Dojo (道場)

June 12, 2026 · View on GitHub

Kernel Exploit Dojo banner

Kernel-Exploit-Dojo (道場)

Overview

Kernel-Exploit-Dojo is a curated archive of 100+ Linux kernel exploitation CTF challenges, organized by bug class, exploitation primitive, final technique, difficulty, and solve count. The goal is to organize practical kernel pwn techniques such as UAF, heap spraying, pipe_buffer abuse, msg_msg, modprobe_path overwrite, and cred overwrite.

“Dojo” means a training place; this repository is intended as a practice-oriented archive for learning Linux kernel exploitation through CTF challenges.

Each challenge directory contains the original distribution files when available, exploit code, and a technical writeup.

Challenges are organized by year, and the top-level Challenge List works as an index to each challenge directory.

For technique-based navigation, see Techniques Index.

Note: Year folders are based on the actual event date, not necessarily the year shown in the CTF name.

Kernel-Exploit-Dojo (道場) は、100件以上の Linux Kernel Exploit CTF 問題を、Bug・Primitive・Final Technique・Difficulty・Solve数ごとに整理した技術索引です。

「道場」は練習・鍛錬の場という意味で、本リポジトリは CTF 問題を通じて Linux Kernel Exploit を学ぶための実践的なアーカイブです。

各問題ごとに配布ファイル、exploit、解説をまとめ、実戦的な kernel pwn 技術を復習できる形にしています。

各問題は年度別フォルダに整理しており、トップページの Challenge List から各問題へ移動できます。

技術別に探したい場合は Techniques Index を参照してください。

Note: 年度別フォルダは CTF 名の年ではなく、実際の開催年を基準にしています。

Disclaimer

This repository is for CTF learning and local lab environments only. Do not run the exploits on production systems or systems you do not own. All examples are intended to be executed inside isolated QEMU/CTF environments.

本リポジトリは CTF 学習およびローカル検証環境向けです。 実環境・第三者環境では絶対に実行しないでください。

Challenge List

Difficulty is based on exploit complexity, required kernel knowledge, and solve count.

Difficulty は exploit の複雑さ、必要な kernel 知識、solve 数をもとに主観的に分類しています。

CTFChallengeStatusDifficulty (Solves)BugPrimitiveFinal Technique
CakeCTF 2022welkermesolved / writeupVery-Easy (75)kernel calls user function pointerrun user code as kernelCC(PKC(0))
b01lers CTF 2026throughthewallsolved / writeupEasy (69)kmalloc-1024 UAFpipe_buffer reclaimDirty Pipe, /etc/passwd overwrite
ASIS CTF Finals 2025KListsolvedEasy (37)OOB writekernel memory writemodprobe_path overwrite
NexHunt CTF 2025belowsolved / writeupEasy (12)OOB read/writekernel read/writemodprobe_path overwrite
N1CTF 2025ktousolved / writeupEasy (38)logic flawskernel object pointer corruptionGOT overwrite
UIUCTF 2025Baby Kernelsolved / writeupEasy (53)customizable UAFtty_struct ops hijackmodprobe_path overwrite
NahamCon CTF 2025The Jumpssolved / writeupEasy (59)stack overflowkernel stack ROPkernel ROP, CC(PKC(0))
TCP1P CTF 2024K-Revengesolved / writeupEasy (4)customizable UAF + double freepipe-based kernel leak + AAWfreelist poisoning => modprobe_path overwrite
SECCON Beginners CTF 2024kbufsolvedEasy (8)uninit heap + OOB R/W + arbitrary seekOOB leak => AAR/AAWmodprobe_path overwrite
L3akCTF 2024xensolved / writeupEasy (?)stack buffer overflowkernel stack RIP controlkernel ROP, CC(IC)
SECCON Beginners CTF 2023driver4bsolved / writeupEasy (19)missing copy_from_user / copy_to_userAAR/AAWmodprobe_path overwrite / core_pattern overwrite
Midnight Sun CTF 2023 QualsSPD Dsolved / writeupEasy (?)unchecked ppos used as kernel stack buffer offsetkernel stack OOB read/writesaved RIP overwrite => ret2usr => CC(PKC(0))
ADDA CTF 2022KernauthsolvedEasy (11)TOCTOU racestruct cred overwritecred overwrite / commit_creds()
TSJ CTF 2022clipboard.kosolvedEasy (11)kmalloc-1024 UAFtty_struct overlap + function pointer hijackmodprobe_path overwrite
BackdoorCTF 2021babyKernelsolvedEasy (?)improper strlen() boundary checklinked-list pointer overwritemodprobe_path overwrite
K3RN3LCTFEasy kernel is still kernel right?solved / writeupEasy (16)stack leak + stack BOFcanary leak + KASLR leak + kernel ROPCC(PKC(0)) + KPTI trampoline
3kCTF-2021echosolved / writeupEasy (9)unsafe syscall8-byte AAR/AAW + physmap leakmodprobe_path overwrite
m0leCon CTF 2020 Teaserbabyksolved / writeupEasy (20)stack BOFsaved RIP controlCC(PKC(0)) + kernel ROP
0xFUN CTF 2026Phantomsolved / writeupEasy-Medium (45)mmap UAFdangling mmap, freed page reusecred overwrite, modprobe_path
THJCC CTF 2026Excalipipesolved / writeupEasy-Medium (17)allowing reuse of merge flagpage cache overwrite/bin/busybox overwrite
PatriotCTF 2025switchboardsolved / writeupEasy-Medium (53)kmalloc-32 UAFsmall-cache reclaim, controlled object reusemodprobe_path overwrite
M*CTF 2025 QualsProcrasti nationsolvedEasy-Medium (4)UAF + double free + broken custom allocator size confusionfake entry => AAR / AAWmodprobe_path overwrite
LINE CTF 2025TransmitsolvedEasy-Medium (10)trusted user pointer in TRANSMIT_FASTarbitrary kernel writemodprobe_path overwrite
TFC CTF 2025SLOTSsolved / writeupEasy-Medium (28)customizable UAFtty_struct ops hijackread global flag buffer
TsukuCTF 2025easy_kernelsolved / writeupEasy-Medium (12)UAF due to dangling global pointerkmalloc-32 UAF writeseq_operations->start overwrite + CC(IC)
TsukuCTF 2025xcachesolved / writeupEasy-Medium (5)UAF / double free in a dedicated kmem_cache objectSLUB freelist poisoning to corrupt the global object pointer tablemodprobe_path overwrite
smileyCTF 2025blarghsolved / writeupEasy-Medium (38)1-byte NULL write into kernel memoryread-only kernel text modificationpatch kernel function
Codegate CTF 2025 Preliminarypewsolved / writeupEasy-Medium (13)kmalloc-4096 UAFpipe_buffer reclaimDirty Pipe, /etc/passwd overwrite
BackdoorCTF 2024Kuwusolved / writeupEasy-Medium (4)double free, kmalloc-4096 UAFmsg_msg overlap + pipe_buffer leakDirty Pipe, /etc/passwd overwrite
HKCERT CTF 2024 (Qualifying Round)Flipper Herosolved / writeupEasy-Medium (10)arbitrary bit fliparbitrary kernel bit flipmodprobe_path overwrite
IERAE CTF 2024free2freesolved / writeupEasy-Medium (2)double freeheap overlapDirty Pipe, /etc/passwd overwrite
DownUnderCTF 2024Faulty Kernelsolved / writeupEasy-Medium (15)page cache map/writepipe_buffer page cache mappingpage cache overwrite (/etc/passwd)
IrisCTF 2024MemorywriteupEasy-Medium (42)kernel-to-user access side-channel via get_user()timing oracle for secret-dependent userland address accessrecover in-kernel flag bytes via page-fault timing side-channel
HITCON CTF 2023 QualsFull Chain - Wall Rosesolved / writeupEasy-Medium (17)global pointer double-freepipe_buffer overlapDirty Pipe / init_cred overwrite
idekCTF 2022Sofire=goodsolved / writeupEasy-Medium (7)global UAFptmx reclaim + stale list R/Wcore_pattern overwrite
TAMUctf 2022Shmeekysolved / writeupEasy-Medium (7)integer overflow in size calculationOOB read/write via shmvec_get/shmvec_setmodprobe_path overwrite
GrabCON CTF 2021Paassolved / writeupEasy-Medium (1)kernel format stringcpu_entry_area leak + pipe capture + AAWmodprobe_path overwrite
LINE CTF 2021pprofilesolved / writeupEasy-Medium (7)put_user misuseconstrained kernel write + oracle leakmodprobe_path overwrite
Union CTF 2021nuttysolved / writeupEasy-Medium (10)heap OOB read + signed arithmetic overflowtty_struct leak + heap OOB writemodprobe_path overwrite
GACTF2020forestsolvedEasy-Medium (1)customizable UAF + double freeseq_operations reclaimCC(PKC(0)) + kernel ROP
ASIS CTF Quals 2020Shared Housesolved / writeupEasy-Medium (7)off-by-one NULLfreelist poisoningmodprobe_path overwrite / kernel ROP
zer0pts CTF 2020meowmowsolved / writeupEasy-Medium (9)forward OOB R/Wtty_struct leak + fake tty_operations + AAWmodprobe_path overwrite
CTF@AC26 QualsEvent HorizonsolvedMedium (31)custom microcode VM bugcustom VM analysis, kernel code execution pathTBD
UofTCTF 2026uprobewriteupMedium (14)SUID uprobe arbitrary byte patchsingle-byte code patch (INT3 / 0xcc)passwd path redirection
HeroCTF_v7Safe Devicesolved / writeupMedium (7)stack overflowkernel stack ROPaarch64 kernel ROP, modprobe_path overwrite
GlacierCTF 2025Flip Flip Hooray!solved / author writeupMedium (18)arbitrary kernel address 1-bit XOR via custom syscallone-shot blind bit flip => multi-shot by flipping flips_leftmodprobe_path overwrite via stable physmap/direct-map alias
DownUnderCTF 2025backdoorsolved / writeupMedium (18)custom syscallkbase leak and kernel memory writemodprobe_path overwrite
MaltaCTF 2025 QualsWrite Flag Wheresolved / writeupMedium (16)custom syscallphysical memory write via direct mapcall modify_ldt
D^3CTF 2025d3kheap2solved / author writeupMedium (6)refcount bug / double freecross-cache overlap with msg_msg and pipe_bufferDirtyPipe-like /bin/busybox page cache overwrite
LA CTF 2025messengersolved / writeupMedium (10)3-byte overflow of msgutilpipe_buffer page corruptioncred search, cred overwrite
IrisCTF 2025Checksumzsolved / writeupMedium (39)OOB read/writerelative OOB R/W + kernel leakcore_pattern overwrite
HeroCTF v6Buaflletsolved / writeupMedium (4)kmalloc-8192 UAFUAF R/W + AAWtty struct => modprobe_path / Pipe => Dirty Pipe
SCTF 2024kno_puts revengesolved / writeupMedium (20)race condition / UAF writeuserfaultfd race + kmalloc-1024 freelist poisoning, msg_msg leak, tty_struct overlapfake tty_operations, modprobe_path overwrite
PatriotCTF 2024DirtyFetchsolved / writeupMedium (9)uninitialized stack leak + double-fetch racecanary/KASLR leak + race-won oversized length => kernel stack overflowkernel ROP, CC(PKC(0))
cr3 CTF 2024mov-cr3solved / writeupMedium (10)arbitrary CR3 writekernel AAR + cross-AS AARtask->mm->pgd => CR3 pivot
bi0sCTF 2024palindromaticsolved / writeupMedium (5)OOB + double freebuddy reclaim + pipe_buffer + msg_msg overlapDirty Pipe, /etc/passwd overwrite
BackdoorCTF 2023EmpDBsolved / writeupMedium (15)race UAFuserfaultfd racemodprobe_path overwrite
bi0sCTF 2022k32solved / writeupMedium (1)uninitialized heap read + heap object reuseheap leak + kernel text leak + RIP controlseq_operations overlap + register spill + stack pivot + CC(PKC(0))
CrewCTF 2022qKarachtersolved / writeupMedium (6)state inconsistency + u8 overflow + invalid kfreedouble free + overlapping objectsmodprobe_path overwrite
Securinets CTF Quals 2022xblobsolved / writeupMedium (4)TOCTOU open race + UAFUAF + kernel heap leak + AAWmodprobe_path overwrite
zer0pts CTF 2022kRCEsolved / writeupMedium (8)signedness OOBOOB => AAR/AAW => task traversal => stack leakCC(PKC(0)) + KPTI trampoline + userland ROP
SUSCTF 2022kqueue's revengesolved / writeupMedium (19)queue UAFseq_operations leak + userfaultfd reclaim + RIP controlCC(PKC(0)) kernel ROP
hxp CTF 2021日本旅行writeupMedium (4)double PTRACE_SYSCALL / ptrace state desyncsyscall path-filter bypassunchecked openat("/flag.txt") + sendfile
Hack.lu CTF 2021Stonks SocketwriteupMedium (12)UAF race on sk_user_datakernel RIP control via freed 32-byte object / function pointer calluserland shellcode => CC(PKC(0))
ASIS CTF Quals 2021Mini memosolved / writeupMedium (16)partial heap OOB (3-byte)msg_msg overlap => pipe_buffer leak => freelist poisoningmodprobe_path overwrite
TSG CTF 2021lkgitsolved / writeupMedium (7)duplicate-hash race UAFuserfaultfd race + kmalloc-32 UAF write / seq_operations leakmodprobe_path overwrite
Circle City Con CTF 2021sockcampsolved / writeupMedium (3)single-bit flip in task_structthread flag corruption (TIF_SECCOMP)inject shellcode => CC(PKC(0))
3kCTF-2021klibrarysolved / writeupMedium (2)race-based UAFuserfaultfd + tty_struct overlaptty_ops hijack + modprobe_path overwrite
Midnight Sun CTF 2021 QualsBrohammersolved / writeupMedium (18)arbitrary 1-bit kernel writephysmap PTE permission flipCC(PKC(0))
DiceCTF 2021hashbrownsolved / writeupMedium (7)resize race + value UAFuserfaultfd race + pipe_buffer UAF read/write/bin/busybox page cache overwrite
HITCON CTF 2020atomssolved / writeupMedium (17)missing vm_open() refcount bugfork()+munmap() UAF + msg_msg reclaimlock corruption => watchdog-triggered flag output
GACTF2020easy_kernelsolved / writeupMedium (2)UAF + stack OOB R/Wtcache poisoning + stack leak + stack BOF.fini hijack => kernel ROP
InCTF 2020lab9solvedMedium (5)heap OOB XOR writefreelist poisoning + tty_struct overlapmodprobe_path overwrite
TRX CTF 2026krwdwriteupMedium-High (15)deferred user pointer in delayed_workcross-mm usercopy via kworker active_mmBusyBox modprobe FSOP
THJCC CTF 2026僕と契約して、魔法少女になってよ!solved / writeupMedium-High (3)single-byte OOB overwritestruct file corruptionstruct file->f_mode overwrite
UofTCTF 2026extended-eBPFwriteupMedium-High (39)eBPF variable-shift range confusionmap value OOB R/Wmodprobe_path overwrite
BackdoorCTF 2025skernelwriteupMedium-High (5)kmalloc-64 UAFrace-assisted OOB leak/writekernel ROP, commit_creds(&init_cred)
BackdoorCTF 2025vibe-kodewriteupMedium-High (4)workqueue UAF raceFUSE-assisted kmalloc-4k UAF writedirty pagetable + TSS I/O bitmap abuse + QEMU fw_cfg physical write
CrewCTF 2025barelyontimewriteupMedium-High (3)logic bug, UAFUFFD-assisted UAF racekernel text overwrite
corCTF 2025zenerational-aurasolved / writeupMedium-High (5)crash syscallKASLR bypass via prefetchkernel panic log oracle
Full Weak Engineer CTF 2025cknotesolved / writeupMedium-High (2)kmalloc-32 UAFUAF read/write, freelist manipulationcred overwrite
DownUnderCTF 2025Rolling Aroundsolved / writeupMedium-High (4)custom eBPF ALU verifier bugeBPF stack OOB + AAR/AAWmodprobe_path overwrite
MaltaCTF 2025 Qualssecure-dwarfsolved / writeupMedium-High (8)custom DWARF bytecodeAAR primitiveread flag in kernel memory
TsukuCTF 2025new_erasolved / writeupMedium-High (4)1-byte NULL overflow in kmalloc-1k objectpipe_buffer->page LSB overwrite + PageJack page UAFstruct file->f_mode overwrite => /etc/passwd overwrite
DiceCTF 2025 QualsoboewriteupMedium-High (16)single-byte OOB overwriterefcount overwritekernel ROP, commit_creds(&init_cred)
KalmarCTF 2025decorewriteupMedium-High (10)executable path in core_patternrace conditionreplace target file with symlink
TRX CTF 2025/dev/memsolved / writeupMedium-High (4)/dev/mem accessKASLR bypass, physical memory R/Wtask list traversal, cred overwrite
HITCON CTF 2024 QualsSeccomp HellwriteupMedium-High (15)hidden backdoor / intended kernel interfaceCPL3=>CPL0 via LDT call gatemanual cred + seccomp patch
Codegate CTF 2024 PreliminaryPhysicalTestwriteupMedium-High (?)global backing_vma misuse / wrong VMA zapstale mmap mapping to freed physical pagesfops hijack => stack pivot => kernel ROP => CC(IC)
KalmarCTF 2024msrablesolved / writeupMedium-High (9)MSR exposureLSTAR leak + FMASK abuse + entry hijackCR4 disable => CC(IC) => KPTI return
KalmarCTF 2024MaestrowriteupMedium-High (11)uncleared DF in syscall / kernel mmap overwritekernel EIP controlzero-page shellcode or mmap-based kernel memory overwrite
N1CTF 2023n1subwriteupMedium-High (4)UAF with dangling pointer / broken slot managementfixed-offset 4-byte decrement on reclaimed pipe_buffer->flagspipe_buffer reclaim => Dirty Pipe-style page cache overwrite of /bin/busybox
SECCON CTF 2023 Qualsumemo / kmemosolved / writeupMedium-High (20/5)UAF + mmap ownership corruptionobject reuse => AAR / AAWmodprobe_path overwrite
zer0pts CTF 2023flippersolved / writeupMedium-High (5)OOB 1-bit flipsingle-bit heap corruptioncred capability bit flip / file refcount corruption
UIUCTF 2023Zapping a Setuid (1/2)writeupMedium-High (?)SUID / namespace abuseSUID binary relocation + library hijack / Cross-namespace mount graft + SUID preservationloader hijack / mount-tree SUID bypass
HITCON CTF 2022⛓️ Fourchain - KernelwriteupMedium-High (12)race / UAFuserfaultfd + UAF => msg_msg / pipe_buffer / sk_buffDirtyCred / kernel ROP
SECCON CTF 2022 Qualsbabypfsolved / writeupMedium-High (10)eBPF shift range verifier bugeBPF stack corruption + AAR/AAWmodprobe_path overwrite
DownUnderCTF 2022just-in-kernelwriteupMedium-High (11)custom VM/JIT instruction-boundary bypassJIT immediate shellcode + stack pivotkernel ROP + CC(PKC(0))
LINE CTF 2022ecrypt (fixed)solved / writeupMedium-High (7)broken mmap() + kernel pointer exposurekey_ptr overwrite + crypto oracle + AAWdirect cred overwrite
hxp CTF 2021trusty user diarysolved / writeupMedium-High (8)missing FOLL_WRITE in GUPpinned page write / COW bypasspage cache corruption => busybox shellcode injection
SECCON CTF 2021kone_gadgetwriteupMedium-High (5)backdoored syscall (RIP control + RSP=0)seccomp JIT + CR4 SMEP/SMAP bypassstack pivot + CC(PKC(0)) / panic dump via jmp flag.txt
pbctf 2021Nightclubsolved / writeupMedium-High (8)NULL-terminated heap OOBmsg_msg m_ts corruption + heap leak + SLUB freelist corruptionmodprobe_path overwrite
InCTF 2021MultiStoragesolved / writeupMedium-High (1)TOCTOU race + heap OOB writepage-cross heap overflow + heap feng shuicred overwrite
Google Capture The Flag 2021EBPFwriteupMedium-High (20)eBPF verifier type confusionforged PTR_TO_MAP_VALUE => AAR/AAWmodprobe_path overwrite
Pwn2Win CTF 2021Accessing the TruthwriteupMedium-High (8)UEFI password stack overflowRIP control in UEFI contextUEFI shellcode reads initramfs.cpio and scans flag
hxp CTF 2020kernel-ropsolved / writeupMedium-High (4)stack leak + stack BOFstack leak => kernel ROPFG-KASLR => ksymtab => CC(IC)
SECCON 2020 Online CTFkstacksolved / writeupMedium-High (4)race double freeUFFD heap reuse + seq_operations leak + AAWseq_operations pivot + CC(PKC(0)) ROP
HITCON CTF 2020sparkwriteupMedium-High (10)UAF by missing node refcount on graph linkfake spark_node reclaim => OOB distance-array read/writecred overwrite via spark_graph_query()
TastelessCTF 2020yaknotesolvedMedium-High (1)OOB index (signed/unsigned)type confusion => AAR/AAWmodprobe_path overwrite
Pwn2Win CTF 2020Trusted NodewriteupMedium-High (12)TA command interface / function-pointer disclosure / client-side misuseTA code pointer leak + hidden function invocationuse leaked TA address to call get_secret through android_get_increment
KalmarCTF 2026faultyunder analysis / TBDHigh (2)race condition (TOCTOU)TBDTBD
tkbctf5Hungry GoatswriteupHigh (1)sk_buff data_len corruptioncontrolled put_page() => page UAFpage UAF overlap => cred overwrite
DiceCTF 2026 QualscornelslopwriteupHigh (6)RCU UAF raceRCU callback hijackcross-cache pipe reclaim + IOPL fw_cfg initrd dump
WannaGame Championship 2025Johnny SinswriteupHigh (2)pipe_buffer page UAF via tee/link_pipe off-by-onepage UAFret2pt_regs via fake file_operations
N1CTF 2025N1khashwriteupHigh (7)delayed work UAFcontrol-flow hijack + stack pivotUAF reclaim + ROP + modprobe_path overwrite
ASIS CTF Quals 2025File No!writeupHigh (8)file->private_data R/W for regular filesseq_file private_data leak/hijack via procfs regular filefake seq_file + seq_operations hijack + stack pivot ROP
ToH CTF 2025kRWXsolved / author writeupHigh (0)arbitrary function pointer overwriteLKM text leak + KCFI-checked one-shot indirect callKCFI-compatible seccomp BPF JIT code execution
bi0sCTF 2025Kernel-MailinglistswriteupHigh (1)uninitialized lhead in broadcast mailunlink pointer write + kernel heap leakcross-cache reclaim into cred_jar and cred field nullification
D^3CTF 2025d3kshrmauthor writeupHigh (1)OOB page mapping in mmap fault handlerOOB struct page pointer mapping / read-only file page remap as RWDirtyPage-like read-only file overwrite via pipe_buffer + splice
KalmarCTF 2025Maestro RevengewriteupHigh (4)missing userspace stack validation in signal deliverykernel memory overwriteAccessProfile overwrite / privilege bypass
PwnMe CTF Quals 2025Hidden Key Recoveryunder analysis / TBDHigh (6)SMM secret + DMA writephysical write-what-where (TBD)SMM code patch / password-check bypass (TBD)
N1CTF 2024heap_masterwriteupHigh (7)UAF / stale pointer after kfreeCross-cache UAF on struct file / PTE corruptionDirtyPage-style PTE hijack, DMA-BUF assisted physical memory access, kernel text patch, nsjail escape
UIUCTF 2024Syscalls 2writeupHigh (8)kernel logic / policy bypassI/O via io_uring without normal fd allocationio_uring-based flag read / FD creation restriction bypass
L3HCTF 2024kpidwriteupHigh (1)find_vpid() reference-count misuse / put_pid() without get_pid()struct pid UAF + refcount increment primitiveDirty Pagetable + DMA-BUF arbitrary physical memory R/W
hxp CTF 2022one_byteauthor writeupHigh (5)1-byte arbitrary kernel writeone-shot 1-byte write-what-whereLDT call gate => ring0 shellcode
N1CTF 2022BabyuefiwriteupHigh (5)UEFI UiApp stack OOB / uninitialized lengthstack leak + stack overwriteUEFI boot option hijack to root shell
N1CTF 2022Fileunder analysis / TBDHigh (1)struct file refcount bugstruct file UAF / dangling fdDirtyCred-style struct file replacement
N1CTF 2022PraymoonwriteupHigh (0)kmalloc-512 double freeuser_key_payload OOB read / setxattr + userfaultfd reclaimAF_PACKET pg_vec USMA text patch
corCTF 2022Cache of CastawayswriteupHigh (2)6-byte OOB write in isolated slab cachecross-cache overflowleakless cred->uid overwrite via buddy allocator feng shui
Azure Assassin Alliance CTF 2022kkkunder analysis / TBDHigh (4)parser logic bughidden IOCTL reach (TBD)kernel heap corruption (TBD)
pbctf 2021Access Keyunder analysis / TBDHigh (1)8-bit refcount overflowUAF-style kmalloc-64 heap overlap (TBD)Secret bypass => controlled kernel function call (TBD)
corCTF 2021Fire of Salvationauthor writeupHigh (0)duplicated rule shallow copy UAFkmalloc-4k UAF + msg_msg AAR/AAW + UFFD-assisted AAWtask_struct walk + current->cred / real_cred overwrite with init_cred
corCTF 2021Wall of Perditionauthor writeupHigh (0)duplicated firewall rule UAFkmalloc-64 UAF + msg_msg AAR + pipe_buffer RIP + FG-KASLR bypassRetSpill ROP + __ksymtab symbol resolution + CC(PKC(0))
TRX CTF 2026🍼🤏🤏 revengewriteupVery-High (1)per-CPU stack pointer corruptionper-CPU stack pivotFSGSBASE + SWAPGS stack pivot
WannaGame Championship 2025Matrixauthor writeupVery-High (0)eBPF verifier range bugBPF stack pointer corruption => AAR/AAWcurrent cred replacement via init_task
TRX CTF 2025🍼🤏author writeupVery-High (0)unrestricted wrmsr ioctlarbitrary MSR writefake syscall GS / fake kernel stack + kernel ROP
m0leCon CTF 2024 Teaser🍼 One dream 🍼under analysis / TBDVery-High (0)one-shot arbitrary low-byte text patchrepeatable byte patch via LKM self-patching (TBD)ARM64 kernel/LKM text self-modification (TBD)
HITCON CTF 2024 QualsHalloweenauthor writeupVery-High (1)auth bypass + malformed write state corruption + shared grip raceOOB read/leak + jump-table OOB RIP controlkernel ROP via jump-table OOB => send_to_socket(flag)
KalmarCTF 2023hyper-kunder analysis / TBDVery-High (1)EPT management bug / guest-accessible hypervisor memory via GPA namespace confusionwritable EPT paging structures / guest-controlled second-stage translation (TBD)VMFUNC/EPTP switching abuse => host physical memory AAR/AAW (TBD)
WMCTF2022Ubuntu-revunder analysis / TBDVery-High (0)nf_tables set element validation bug inspired by CVE-2022-1972stack or kernel memory OOB write via crafted nftables netlink messages (TBD)TBD

Note: CC(PKC(0)) means commit_creds(prepare_kernel_cred(0)).

CC(IC) means commit_creds(&init_cred).

Techniques Covered

  • QEMU-based kernel exploit testing
  • LKM reverse engineering
  • Use-After-Free
  • stack overflow
  • kernel ROP
  • KPTI trampoline
  • ret2usr
  • KASLR bypass
  • FG-KASLR bypass
  • __ksymtab symbol resolution
  • SMEP / SMAP bypass
  • modprobe_path overwrite
  • core_pattern abuse
  • freelist poisoning
  • cred overwrite
  • race condition exploitation
  • userfaultfd-assisted exploitation
  • FUSE page-fault blocking
  • custom syscall abuse
  • custom VM / bytecode bugs
  • kmalloc cache reclaim
  • tty_struct hijacking
  • pipe_buffer reclaim
  • Dirty Pipe style exploitation
  • msg_msg spraying
  • seq_operations overlap
  • sk_buff exploitation
  • arbitrary read/write
  • page cache overwrite
  • kernel text overwrite
  • mmap-based dangling mapping
  • eBPF verifier / eBPF VM exploitation
  • DWARF bytecode VM exploitation
  • /dev/mem exploitation
  • ret2pt_regs
  • RCU UAF exploitation
  • MSR abuse
  • io_uring abuse
  • CR3 / page table manipulation
  • EPT / second-stage translation abuse
  • DirtyCred
  • LDT / call gate exploitation
  • UEFI exploitation
  • COW bypass
  • seccomp JIT abuse
  • hypervisor exploitation

Build and Run

Most exploits are intended to be compiled statically and executed inside the provided QEMU/initramfs environments.

Example:

gcc exp01.c -o exp01 -static

or

musl-gcc exp01.c -o exp01 -static

Exploit Verification Note

Exploit code in this repository is mainly intended for local CTF/QEMU environments.

Unless explicitly stated otherwise, exploits authored or modified in this repository were primarily tested locally against the provided challenge environment. They are not guaranteed to work on the original remote servers, patched challenge instances, different kernel builds, or different runtime configurations.

Remote services may use different kernels, mitigations, time limits, file systems, network wrappers, or deployment settings. Some exploits may require adjustment, stabilization, or additional environment-specific tuning.

本リポジトリ内の exploit code は、主にローカルの CTF/QEMU 環境での検証を目的としています。

特に明記していない限り、本リポジトリで作成・修正した exploit は、配布された challenge 環境に対してローカルでの動作確認を中心に行っています。 元の remote server、修正後の challenge instance、異なる kernel build、異なる実行環境での動作は保証していません。

remote 環境では kernel、mitigation、time limit、filesystem、network wrapper、deployment 設定などが異なる場合があり、追加の調整・安定化・環境依存の修正が必要になることがあります。

Large Files Policy

Large distribution files such as rootfs images, disk images, VM images, or archives may be omitted from this repository when they exceed GitHub's normal file size limit. In such cases, only the minimum files required for analysis are included, and an external download link or a note about the original distribution is provided when available.

GitHub の通常のファイルサイズ上限を超える大きな配布ファイルについては、本リポジトリに直接含めない場合があります。 その場合は、解析に必要な最小限のファイルのみを配置し、可能であれば外部リンクまたは元配布ファイルに関するメモを記載します。

Challenge Template

  • README.md — metadata and short summary
  • distribution/ — original challenge files
  • exploit/ — exploit source code and helper scripts, if available
  • writeup/ — original writeups, notes, and external references

Original challenge files are preserved for archival and analysis purposes. Some files may be intentionally vulnerable or unsafe to run outside isolated CTF/QEMU environments.

配布ファイルはアーカイブおよび解析目的で、可能な限り元の状態に近い形で保存しています。 一部のファイルは意図的に脆弱または危険な挙動を含むため、隔離された CTF/QEMU 環境以外では実行しないでください。

References

Acknowledgements

I would like to express my sincere gratitude to all CTF challenge authors who created these excellent kernel exploitation challenges.

Many of the techniques, exploit strategies, and implementation details in this repository were learned from public writeups, author writeups, and shared research notes. I deeply appreciate the authors of those writeups for documenting their approaches and making their knowledge available to the community.

This repository is intended as a personal learning archive and technical index. All credit for the original challenges belongs to the respective CTF organizers and challenge authors. All credit for referenced writeups belongs to their original authors.

謝辞

素晴らしい Kernel Exploit 問題を作成してくださった CTF 運営・問題作者の皆様に深く感謝します。

本リポジトリに含まれる多くの技術、exploit 方針、実装上の知見は、公開 writeup、author writeup、各種技術メモから多くを学んだものです。 解法や考察を公開し、知識を共有してくださった writeup 作者の皆様にも心より感謝します。

本リポジトリは、個人の学習記録および技術索引として整理しているものです。 各 CTF 問題の権利とクレジットは、それぞれの CTF 運営・問題作者に帰属します。 参照した writeup のクレジットは、それぞれの原著者に帰属します。